HackDatKiwiCTF 2015 - Gaychal

Gaychal

Web - 80 Points

I found some suspicious PHP code on my website. The code was attached to my theme’s footer file. It’s either the DRM of the theme, or a virus; however it’s encoded and I can’t figure it out. Do that for me please :)

Writeup

The challenge starts with obfuscated PHP code. We started manually decoding each encoding layer, each using a slightly different encoding function. After 4 levels we realized it was not the best approach (PHP started complaining about memory allocation and we needed to put ini_set('memory_limit', '-1'); in every decoded level).
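
The layer-by-layer decoding described above can be scripted instead of repeated by hand. This is an added example, not code from the original writeup: it statically peels nested eval() layers in Python, so no PHP from the sample is ever executed. The decoder set, the layer shape eval(f(g('...'))); and the sample input are assumptions constructed for illustration, since the challenge's actual encoders are not shown on this page.

```python
import base64, codecs, re, zlib

# PHP decoder name -> Python equivalent on bytes (assumed set, extend as needed).
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE stream
    "gzuncompress": zlib.decompress,                  # zlib-wrapped stream
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# One layer: eval( f1(f2(...( 'literal' )...)) );
LAYER = re.compile(
    rb"eval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])([^'\"]*)\2[\s)]*;")

def peel(src: bytes, max_layers: int = 100):
    """Unwrap nested eval() layers; return (inner source, decoder chain per layer)."""
    chains = []
    for _ in range(max_layers):
        m = LAYER.search(src)
        if not m:
            break                      # no further eval(decoder('...')) wrapper
        funcs = [f.decode() for f in re.findall(rb"\w+", m.group(1))]
        unknown = [f for f in funcs if f not in DECODERS]
        if unknown:                    # stop rather than guess at a new encoder
            raise ValueError(f"unsupported decoder(s): {unknown}")
        data = m.group(3)
        for name in reversed(funcs):   # the innermost call is applied first
            data = DECODERS[name](data)
        chains.append(funcs)
        src = data
    return src, chains

def wrap(payload: bytes, kind: int) -> bytes:
    """Build one constructed layer; the scheme varies with kind."""
    if kind == 0:
        return b"eval(base64_decode('" + base64.b64encode(payload) + b"'));"
    if kind == 1:
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = c.compress(payload) + c.flush()
        return b"eval(gzinflate(base64_decode('" + base64.b64encode(raw) + b"')));"
    rot = codecs.encode(base64.b64encode(payload).decode(), "rot13").encode()
    return b"eval(base64_decode(str_rot13('" + rot + b"')));"

def constructed_sample(depth: int = 6) -> bytes:  # constructed input, not the challenge file
    src = b"echo 'constructed inner payload';"
    for i in range(depth):
        src = wrap(src, i % 3)
    return src
```

The per-layer decoder chains returned by peel() show which encoding each level used, and an unrecognised function name stops the run with an error naming it.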